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Digital Privacy Highway In the ambient world 



Title: The Digital Privacy Highway 
Field of Invention. 

The elimination of Individual Information Security caused by technical change and 
sociological drivers in both the private and public sector is threatening the progress 
and stability of the Information Society. These problems are being pushed into the 
centre of discussions in all regions of the world without acceptable solutions. 

One basic problem is the assumption that the core question is between anonymity or 
identification meaning either non-accountability of individual actions or growing 
dependency on trust and legal regulations to control abuse of identified personal data. 
The use of Pseudonyms with a Trusted party to prevent criminal abuse is even worse, 
because this leads to a concentration of either commercial or public power. 

This invention comprises a series of closely related and integrated part-Inventions that 
eliminate this assumption eliminating the trade-offs between accountability, freedom, 
convenience and efficiency. The outcome is the ability to enable free flow of personal 
data without risk of data abuse by ensuring that the individual remain in control 
through the basic principle of non-linkable accountability. 

This invention solves the core problem of linking the physical world with the digital 
world with asymmetric linkability. The individual can link everything related to him, 
but even with free flow of information it is impossible for externals to link data to the 
specific individual beyond the explicitly created accountability principles that can be 
created dynamically according to the specific application. 

The core invention is implementing the Digital Privacy Highway based on 
anonymous one-time-only virtual Chip Cards or Privacy Reference Points (PRPs) 
combined with accountability negotiation and process support related to payments, 
credentials, delivery, storage, communication and the ability to re-establish contact 
anonymously. This includes a novel invention of anonymous credit and folly 
discardable Identity Cards even containing the basic passport, digital signature or 
international healthcare cards for emergency healthcare support. 

These principles are extended to Privacy Device Authentication implementing 
untraceable Zero-knowledge Device authentication to protect against tracing devices, 
product tags or individuals in ambient computing. This invention provides a genenc 
zero-knowledge solution to protect low-computation product tags such as RFID or 
Bluetooth tags from leaking information to the environment. Zero-knowledge product 
tags are both implemented as product tags attached to products or devices and as 
proximity tags attached to people or people transportation devices. 

Numerous novel privacy solutions is demonstrated to everyday applications such as 
instant messaging, digital event support, trade support, managed CRM and SCM 
solutions, electronic voting, anti-counterfeiting money notes, device authentication 
etc. 
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Description of prior art. 

In electronic transactions protecting both digital and physical privacy is rapidly turning 
into one of the most significant problems of the Information Society. The escalating of 
identification and easy linking of Personally Identified or easily Identifiable Information 
(PII) is driving security risks and problems related to trust between the Client 
(Individual), the Provider (digital counterpart - whether commercial, government or 
social) and infrastructure (bank, telecom, shipping, portals, identity brokers etc.). 

Smart cards (or chip cards) are devices able to cryptographic computations and 
securely storing data and Personally Identifiable Information (PII). State of the art 
Smart Cards are tamper-resistant in the meaning that they will ensure erasureof data 
in cases of attempt to access data by physically breaking into the smart card. This is 
essential to protect for instance access to the private parts of digital signature keys. 

However except for completely anonymous or 100% card-based transaction solutions 
there are no solutions able to provide both privacy and convenience support across 
multiple transactions. Existing approaches to convenience are all based on non- 
privacy solutions where central trusted parties accumulate commercial control and 
abusable profiles on individuals. 

Background . , 

However even though smart cards promise the ability to reasonably ensure 

traceability against unauthorised access to PII using standard encryption with Digital 
Signatures such as Public Key Infrastructure, they prove unable to ensure 
confidentiality of PII in normal information processes from counterpart abuse. 

For instance storing PII on the smart card only to be provided at point of use will not 
prevent the counterpart storing data and building databases linking PII across multiple 
transactions and across different counterparts. Smart cards are subject to theft. So 
the data owner can no longer use the information. Even if NO data were collected at 
point of use, this would be leaving security to the quality of tamper-resistance. 

Rather than real security approaches based on PII are based on trust and legal 
protection towards counterparts subject to massive problems related to the balance 
between security, privacy and convenience. 

One approach to reduce this problem is for a trusted third party to issue for instance 
one-time-only cards for internet credit card transactions. Even though these modefe 
reduce the decentralised risk, they accumulate central risk and do little to provide real 
security. Since they link across transactions and counterparts these central databases 
is an even larger security risk as they are able to create detailed profiles on 
individuals with no inherent security. 

An example of such an approach is US patent application 20010044785 included here 
by reference discussing many of the general issues related to mail-order commercial 
transactions. A central server issues proxy names, email and shipping information to 
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prevent merchant databases from cross-linking. The central server acts as a trusted 
part knowing the real identity of the end-user. 

When using a smart card as a cash card using limited show keys as digital cash 
(Chaum patent ref. woo208865) or credentials (Brands xx) and avoiding the use of any 
persistent identifier (whether person, card or device related) across transactions, tne 
smart card can support anonymous payments or anonymous attribute authentication. 

However for multiple applications this approach does not provide a suitable solution 
and therefore this type of cash card has only limited success. Purely anonymous 
transactions do little in terms of enabling convenience requirements. Another serious 
problem is integrating support for these schemes requiring advanced infrastructure 
support to work. 

Storing all data in a on the smart card and having the data owner only presenting 
non-identifying information on use will not solve the problem. 

The basic problem is that most applications will require agent-support from an 
increasingly intelligent infrastructure such as establishing credit in payments, 
communicate, negotiate or just providing real-time access to profile information that 
is not stored on the card. But doing this is not solved without the use of persistent 
identifiers related to devices such as card numbers or MAC-addresses or the person 
such as Social Security Numbers or the public part of a Digital Signature. 



State of the art in smart card and PKI technology is that there are little or no solutions 
as to avoid information from daily transactions being collected in databases in ways 
that are easily traceable to the real identity of the holder of the smart card. Privacy 
issues can be a blocking factor for the entire Information Society 
(http://www.eeurope-smartcards.org/Download/04-l.PDF). 



State of the art in Digital Rights Management Systems such as US Patent 6,330,670 
included here by reference is based on systems that create external linkability to 
devices or identities. These solutions in addition provide direct addressability of 
devices and provide the ability to restrict the end-user beyond the interest of Digital 
Rights Protection. For instance external control of the root CPU can provide the ability 
to implement restrictions on running software or listening to music from other 
providers. This can even be implemented later as an element of a forced software 
update. 

Present state-of-the-art in Digital Rights Management System (or Trusted Computing) 
has not solved the basic problem, because the end-user or end-user devices are 
externally traceable and the end-user does not have device control destroying both 
trust end security. 

The patent application/A method and System for establishing a Privacy 
Communication path", ref. wooi90968, included hereby reference by the same inventor 
provide a solution to Digital Rights Management Systems tracing mobile phones or 
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other communication devices. This is done through a chip card implementing multiple 
context-specific and infrastructure supported identities in order to hide the actual 
device identity from software running in the device. 

The same patent provides several solutions on how to privacy-enhance and secure 
standard payment card transactions. One security solution is cross-authentication 
using a second communication channel such as a mobile phone. A privacy measure is 
a crowd-effect reusing the same credit card across a larger group of people with the 
same inline cross-authentication using a second communication channel. For online 
payments the use of one-time-only card references towards a trusted party who can 
then employ any privacy solution towards the bank payment system. 

The same patent application also provide general solutions to strong privacy solutions 
using smart cards in trusted mobile devices (Privacy Authentication Device) such as 
Mobile phones, PDAs, portable computers etc. In this solution the context-specific 
credit card reference is closely linked to a context-specific pseudonym using a Privacy 
Authentication Device to establish the ability to communicate, trade and enter into 
legally binding transactions. Herein the Privacy Authentication Device is assumed to 
either authenticate directly storing multiple keys or establish encrypted non-identified 
tunnel connections to one of several home bases using reverse authenticates to 
protect against device trace. 



Using the present invention this approach is fully extended to cover all aspects of 
device communication. This invention is explicitly solving these problems by 
eliminating the external linkability and direct device control without preventing Digital 
rights Management. 

Through Privacy Enhancing Technologies these problems related to security and trust 
concerning PII can be solved or at least significantly improved technically. 



Invention: 

This invention solves the problem of simultaneous privacy, security and convenience 
in Chip Cards used in un-trusted environments defined as foreign chip card reader. 
The communication between the chip card and the chip card reader can be either 
based on physical connection or any wireless communication standard such as WLAN, 
Bluetooth, infrared etc. 

Two main invention parts in combination form the ability to enter into anonymous 
credit-based transactions. 

The invention solves the problem of a Client connecting multiple transactions using 
the same card across multiple providers and retaining full control over the level of 
linkability by both Providers and Infrastructure. 
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and strong security solution for debit or credit cards payments in Chip Cards in un- 
trusted environments, i.e. using a foreign chip card reader. 

In environments where the only available communication path is an electronic chip 
card reader provided by the counterpart such as a merchant, problems of how to 
conduct transactions without leaving identifying information are significant. This is 
what we can call un-trusted environment since both the counterpart and the 
infrastructure provider can be assumed to prefer identification and thereby depriving 
the individual of control of PII. 

This invention provides the flexible means for the individual to control the level of 
linkability of transactions towards the counterpart without limiting convenience or 
privacy. The smart card wilt for each transaction issue a unique transaction code and 
an authentication mechanism which he can later assume control of using a 
pseudonym which can be anonymous. 

The invention provides a solution as to the use of more sophisticated Privacy 
Enhancing Technologies even if the Provider is not equipped for this. The smart card 
communicates with a service provider which translates the advanced and 
sophisticated PET technologies like Digital Cash, Credentials etc. into more simple 
standards such as credit card protocols or verified Client profiles. 

In addition the invention provides the solution to a series of core problems related to 
the balance between convenience and Privacy including Anonymous Credit and 
infrastructure support of multi-application privacy enhanced smart cards. 
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Disclosure of the Invention 

This invention is based on two key inventions. 

Firstly the means to turn a physical chip card into multiple virtual and non-linkable 
chip cards by use of one-time-only Privacy References (PRPs) replacing Persistent 
Card identifiers such as for instance credit card number. This is combined with means 
to later reconnect to the transaction through a non-identifying communication 
network. By inserting these Cards into fixed, wireless or mobile Card Readers, the 
Client is provided with the means to intelligently manage multiple virtual identities 
and receive personalised services while still retaining control of the ability of others to 
link personal data to the real identity of Client. 

Secondly the means for Clients to take control of electronic product communication 
devices (EPC-Devices) such as RFID, Bluetooth or more advanced devices using a 
principle of zero -knowledge authentication. EPC-Devices simply will not respond or 
acknowledge their existence unless properly authenticated. 

EPC-devices can be linked to a product or service such as for instance an RFID sewn 
into a shirt. They can also be tightly integrated and providing advanced controls such 
as for instance a digital car key directly linked to the petrol injection and customised 
settings or a house alarm linked to the home communication infrastructure resetting 
communication preferences of the individual to the home environment. 

Together these inventions make it possible for individuals to control their digital 
environment without risk of leaving identified personal data in databases usable for 
privacy violations. 



Description of Figures 

Figure 10 illustrate the basic invention of creating and re-linking virtual chip cards. 
Figure 20 illustrate the linking between the product life cycle in the commercial value 
chain and how the product transfer to consumer privacy control and then eventually 
re-enter the product life cycle for recycling of materials etc. 

Figure 100 illustrate the basic infrastructure for privacy chip cards. 

Figure 110 illustrate the creation of a pseudonymous basic relationship. 

Figure 120 illustrate privacy-managed payment and credential support. 

Figure 130 illustrate the preferred solution for anonymous credit. 

Figure 140 illustrate how to include untraceable accountability for pseudonymous 

relationships. . . . 

Figure 150 illustrate how the to privacy-enable standard credit-card payments. 
Figure 160 illustrate how the solution can extend by direct management of personal 
identities using wireless or other personal communication devices. 

Figure 200 illustrate privacy-managed digital signatures with instant revocability 

Figure 400 illustrate the basic infrastructure per privacy-enabled RFID using untrusted 
RFID and chip card readers. 
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Figure 410 illustrate the use of mobile devices for controlling RFIDs using untrosted 
RFID and chip card readers. 

Figure 420 illustrate how to create a Privacy Proximity Ticket using a combination of 
Group Authentication and PRPs 

Figure 430 illustrate how to create connections between anonymous sessions 
Figure 450 illustrate a zero -knowledge authentication process including group 
authentication and device authentication 

Figure 500 illustrate a mobile device able to directly control the personal space. 



Figure 100 show the preferred setup for multi-application chip card infrastructure. 
The Chip Card (100-20) is communicating one-time only References to the Card 
Reader (100-10) using the communication channel (100-100) which can be any open 
protocol over both fixednet or wireless channel. The Card Reader provides the 
connection to the Shop Computer (100-300), but this can also be done directly using 
for instance wireless communication protocols. The one-time only Reference is 
forwarded to the Service Provider (100-40) together with instructions encrypted inside 
the Chip Card. Client can from his Client base (100-50) take control of the transaction 
without revealing his real identity through either some sort of mixnet or other 
anonymising network (100-60) or an Identity Provider/pseudonymising unit (100-80 
through any communication channel 100-150), Depending on the encrypted 
instructions, the Service Provider (100-40) can verify anonymous payment or 
credential mechanisms directly (100-130) with financial institutions (100-70), or 
indirectly by forwarding chip card encrypted instructions to the Identity Provider (100- 
80). 

A standard so-called EMC-chip card payment can be emulated so that the Shop 
Computer (100-30) and Card Reader (100-10) does not have to alter, but still the 
Financial Institution (100-70) see the either Identity Provider (100-80) in case of 
standard credit payments or Service Provider (100-40) for anonymous payments as 
the Shop. The Service Provider gets payment confirmation either directly or through 
the Identity Provider and can therefore verify payment towards the Shop Computer 
(100-30). 

Key to the advantage of setup is that the Service Provider and the Shop cannot 
separate two transactions with the same chip card from two transaction with two 
separate chip cards unless Client want it so. 

If the encrypted instruction to the Service Provider (100-40) contains a data reference 
derived from a Shop Identifier, Client can instruct the Service Provider to link the 
transaction with previous transactions with the same Shop for Client convenience. In 
addition the Service Provider can be instructed to report this link back to the Shop as 
part of the transaction and thereby enabling the Shop to create anonymous customer 
profiles or turning the Chip Card into Shop Loyalty card. 



Client can maintain two-way communication with the Shop (100-30) through the 
service Provider (100-40) without ever revealing his true Identity. 
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Basic relati nship 110 illustrates the most basic usage and generic use of this 
invention. By entering the Chip Card in a reader, Client creates a simple 
communication channel for the Shop to communicate with Client through the Service 
Provider (110-40). In addition to a One-time only Reference, the Chip Card must 
initiate an authentication mechanism for Client to prove ownership of the Relationship 
and optionally share an encryption key with the Shop to ensure that the Service 
Provider cannot read communication. In addition the Chip Card will encrypt Shop 
information for Client use upon re-connecting from the Client Base (110-50). The 
Client Base can be from any device able to communicate and do the computation - 
even a Chip Card, but the Client Base is assumed to be a Trusted Device such as a 
portable computer, a PDA, a mobile phone or any computer at work or at home. 

The Shop can use the One-time Only Reference as an address towards the Service 
Provider who can then either store the message until collected by Client (Pull) or use 
pre-prepared Mixnet Reply-blocks to forward the message to Client (Push) without the 
Service Provider being able to identify Client. 

The context when establishing this relationship determines the use, which can range 
from subscribing to a news list over the privacy alternative to providing a business 
card to answering detailed questionnaires to participate in any scheme without risk of 
data leakage and use outside of the specific context, 

A vital part is that if the Client identity is strong enough to get acceptance from data 
protection authorities then the relationship setup can be considered anonymous in the 
context of Data Protection laws. If so data registrations are not requiring permission in 
the legal definition since Client is in Control of customer profile data. 

Figure 120 take a step further and enable support for Managed Services of Digital 
Cash or Digital Credentials, even if the Shop is not equipped to handle these 
technologies. The Shop Computer (120-30) forward payment instructions including 
Ship Id, Amount, Transaction Id, Date and optionally a digital invoice to the Chip Card 
Reader and terminal (120-10). The Card Reader can assume the Chip Card (120-20) 
is a standard Chip Card emulating standard credit cards interfaces. This can be either 
direct contact or wireless communication (120-100). The Chip Card emulates a 
standard interface by using a One-time Only Reference or reuse the same Chip Card 
Id depending on the standard. The Chip Card then interacts with Client through the 
Card Reader interface for instance using a multi-pin setup and chooses action 
according to Client Instructions. 

For an ordinary payment the Chip Card pay to the Service Provider (120-40) using 
Digital Cash encrypting the message to the Service Provider and forwarding this 
encrypted message containing the Digital Cash Show protocol through the Card 
Reader to the Service Provider. The Service Provider finalise the Digital Cash 
transaction with the relevant Financial Institution (120-70) over any communication 
channel such as a fixed VPN internet connection for large-volume transactions. Upon 
clearance from the Financial Institution the Service Provider acknowledges payment 
vs. the Shop according to the payment interface standard. 
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At this point the Service provider can provide transaction services towards for 
instance sales taxes, fees, VAT and special problems related to for instance cross- 
border transactions. 



A special variant of the payment scheme in Figure 120 is illustrated in Figure 130. 
If Client prior to the transaction has established a credit line with a Financial 
Institution (130-70) which is then translated into Digital Credential Tokens stored in 
the Chip Card (130-20), this setup is able to establish anonymous credit. If a 
sufficient large group of Client use these Anonymous Credits and create a crowd 
effect, the Financial Institution cannot determine what a specific credit was used to 
purchase. They can, however, still know on a group basis and thereby make various 
partner agreements between financial institutions and shop possible. 

In the preferred setup the Financial Institution (130-70) issue Credit tokens on a 
rollover basis with overlap meaning that there will be an issue period (of say 3 
months). When the rollover period ends, Client cash in unused tokens and I receive 
new ones. Used tokens are transformed into a loan. When Client use credit tokens to 
pay, it works like Anonymous Digital Cash or Digital Credentials since the Financial 
Institution (130-70) can determine that the specific credit token is issued by a specie 
financial institution or group of institution and thereby honour the payment claim. To 
compensate for differences in purchase dates in the issue period, interest from time of 
purchase to the rollover date can be deducted from the amount. 

If the Client group is sufficiently large for a specific pool of credit tokens, loans can 
even be established on a daily basis selling bonds directly in the financial markets. 
This can either be based on a pro rate risk using Client loans as security or with the 
Financial Institution guaranteeing the bonds and applying a risk premium on Client 
loans. 

This translates into a situation in which Client can anonymously buy a sofa with 
instant credit using financial market interest rates and using the surplus asset value of 
his house as collateral. 



The various parts of the invention 
Privacy Reference Points 

One important aspect of this invention is the ability to establish anonymous 
connections between the offline world and the online world. These are called Privacy 
Reference Point (PRP) which are virtual addresses based on a domain offset link and a 
relative reference (<domain>Ref for instance &ttp;//www,PRPRef,NET/Ref# where 
Ref# is any combination of characters, numbers etc.). 

Whenever a transaction is initiated a PRP is provided by the Chip Card as the 
transaction specific identifier or one-timfronly card number. Except for this identifier 
the Chip Card will leave NO additional identifiers unless voluntary approved by the 
Client as part of the transaction. 
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In case of PRPs provided by a RFID-tag as an RFID pseudonym from a list of 
pseudonyms (such as a ticket) etc. this can contain pre-encrypted information that 
upon forwarding to the Service Provider authorise release of data to the provider of 
services. 

PRPs provide an anonymous way to block for the Chip Card in case of theft and 
asymmetric linkability for enabling convenience and services. 

If the Chip Card attempt to establish an anonymous session, the Client can without 
creating linkability deposit a message to the Chip Card that it is stolen and act 
accordingly either by deleting all content or assist in tracking the thief. 

A PRP provide the ability for the Client later to establish connection with the 
transaction without having to store information in the portable device. In addition it 
can create a communication link to the Client if Client has established an open 
communication channel to the PRP. 



On security in case of loss of the smart card. 

It should not be possible to extract the keys to generate the one-time-only identifiers. 
Meaning there should be NO way for an attacker to be able to generate the historic 
identifiers of user transactions and thereby assume control of transactions. 

Unencrypted Export function of the keys themselves should not be possible. Instead 
one solution is to work with one-time-only export of the one-time-only identifiers (and 
related authentication keys) to a secure client environment (likely home) from where 
the owner can establish connections to his transactions through an identity-protecting 
communications network. 



Anonymous credit 

In many circumstances credit payments is needed which is today covered by use of 
credit cards. Even though anonymous cash using Limited Show Keys is known, paying 
anonymously with credit without the Provider or the Bank linking the purchase to the 
real identity of client is not possible with present knowledge. This invention solves this 
problem using a combination of roll-over lines of credit and a token-based credit 
system which towards a Provider are similar to undeniable digital cash drawn on a 
Financial Institution but to the Client is a drawing right on a pre-approved line of 
credit. The main properties works similar to anonymous Digital Cash, but the way the 
tokens are issued will result in a loan from the Financial Institution to the Client . 

The preferred setup works by a financial institution applying a line of credit to Client. 
Normally the Client is identified towards the bank to establish credit. But the Client 
can also be pseudonymous to the bank itself - treated as a special case after the main 
setup. 
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This line of credit is on a periodically revolving basis transformed into Coins (tokens) 
using Digital Cash Technology, which is limited show keys according to David Chaum 
or Stefan Brands. 

In order to pay with credit, Client will spend his tokens in ordinary shopping as Digital 
Cash. Whenever the financial institution is presented with the use of a token it will 
honour it with a pre-defined amount in cash transfer. The Merchant will receive cash 
and do not have to know that this is a credit payment. 

At the end of each Period the Client can return unused Cdins to the Financial 
Institution and get new ones. Client cannot return used Coins without self- 
incriminating him as multiple use of the same Coin will provide the bank with the 
ability to prove abuse similar to the protection related to multiple use of Digital Cash 
with disclosure of a self -signed confession and identification. 

The difference between Coins issued and Coins returned equal the amount borrowed 
which is then treated as a withdrawal related to the line of credit. If multiple Clients 
use the same type of Coins for the same periods, the bank has no way to tell which 
Client made a specific payment. 

Theft protection can be built in, if Client either store a copy of the Coins or when 
receiving new Coins technically create an offline payment for himself using all the 
Coins. Using this backup protection, the Coins can in case of theft be forwarded to the 
bank. When the thief try to use the Coins for payments, the bank can detect this and 
block payment in real-time. 

When using a Coin for payments the bank can deduct interest until the next roll-over 
date of the line of credit in order to make the withdrawal start according to the use. 

The bank needs to be able to terminate the credit line, if for some reason the line of 
credit has been reduced or terminated. The use of periodically revolving provide both 
an ability for the bank to change the terms of the line of credit and the way to convert 
use into loans on a regular basis. 

Outstanding credit Coins has to be honoured for the duration of the period unless 
Client returns unused Coin in mid-period. Periods should preferably be overlapping in 
order to prevent end-of-month crowd effects. 

Use of tokens can be associated with attributes or other linkage to provide the ability 
to support for instance special discount agreements with merchant. 

When using a intermediary to carry out the interaction with the bank, then the bank 
does not need to know the identity of the Provider thereby further reducing the risk of 
collusion detection on behalf of the bank. 

Pseudonymous line of credit approval can be arranged based on attribute credentials 
in combination with Privacy accountability which is a multi-step re-identification 
process in case of violation. 
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Pseudonymous credit approval can for instance be arranged in the following way. 
Many countries have central registers of Bad Credit Risks including people and entities 
having failed to honour a financial obligation or an outstanding debt. Using Attribute 
Credentials (Stefan Brands xx) a Client desiring credit receives a one-time-only 
attribute credential issued by the Bad Credit Risk Agency that he is NOT on the list. 
When presenting this credential to the Financial Institution, an optimistic line of credit 
based on the knowledge of previous non-default can be issued. 

The Financial Institution can similar issue a credential the line of credit is terminated 
and all loans paid in full. If the setup works with a standard maximum amount, the 
attribute credentials can further be denominated into smaller lines of credit by issuing 
a Credential where each use 

This would most likely be on smaller amounts, but the Financial Institution can build 
the credit risk into the interest required thereby creating pools of higher-risk loans. 



Establishing Privacy-enhanced general accountability 

In some occasions payment risk is not the only risk included. For instance renting a 
car or hiring an internet connection can include criminal activity. A better alternative 
than requiring identification and data retention is to establish a way to identify than 
can only lead to identification if wrongdoing is determined. This is known as Identity 
Escrow. 

Figure 140 describes such a solution in which the message to the Service provider 
(140-40) contains instructions to forward an encrypted message to an Identity 
provider (140-80) linking to a pseudonym with an attached encrypted message 
certified by third-party to contain identifying information of said pseudonym and 
instructions as to the first step of a process to decrypt the message incorporating at 
least one third-party not involved in the transaction at any step. 

Multiple different accountability procedures can be designed balancing the cost and 
difficulty of identification with the potential fraud value of Client and the democratic 
principle value of the activity. For instance the control to return a book to a library or 
for general surfing at news sites or discussion forum should be strongly protected 
whereas the voluntary entering into a credit arrangement likely should only have a 
simple trusted party included the in the identity disclosure process. 

A key issue is that the question of accountability does not make sense if anyone can 
commit identity theft and thereby transfer the responsibility to others. This include on 
one side identity theft of a pseudonym through which ownership of an asset or 
obligation of a liability is established and on the other side the ability to identity theft 
of the base identification which provide the fundamental accountability. 

In other words accountability is dependant on unbroken traceability of an action to a 
unique identity. In the physical world this is based on witnesses, pictures, signatures 
etc In the digital world the technical cryptographic traceability and especially the links 
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to the physical world depends on fewer proofs and the potential crimes large in both 
size and variations bigger in number and potential magnitude, the traces has to be 
stronger and unbroken. 



Basic device security and ownership - Privacy Biometrics Authentication 

For reasons of both protection against Identity theft and protection of personal data in 
case of the device theft, authentication of the Client towards the device itself is 
necessary. Pin code, passwords, crypto boxes etc. only provide proof of knowledge or 
physical access, but it not a real proof of Identity. To achieve proof of identity, 
biometrics is the best way to improve security. To avoid central storage of biometrics 
or biometrics leakage in case of theft, it is important that only a one-way encoded 
version of the biometrics template is stored. In addition this should be done using a 
Chip Card specific encoding. 

In the following we assume the basic security is a combination of both a one-way 
encoding using a Card specific encoding. This could for instance be a one-way low- 
collusion hash of a card specific key XOR'ed with a one-way hash of the biometrics 
template or minimum equivalent security. In addition this is assumed to be 
COMBINED with pin codes, passwords etc. including silent alarm such to decrease the 
likelihood of successful authentication by others than the right Client without 
voluntary collaboration. 

Special attention is to be put on so -called identity or credential lending as basic 
security often ignore this problem and leave it to crime investigation. An example is 
"loosing" a credit card combined with subsequently denying payments or a more 
advanced example of swapping credentials between a paedophile and a drug addict to 
mutual advantage. 



Accountability negotiation 

This makes possible to create accountability profiles describing the accountability level 
of the PACC that a session is authenticated towards. An Accountability Profile would in 
a standardised way describe if, under what circumstances and how escrowed identity 
can be released. 

PACC parameters can include the type of base identification (biometrics etc.)/ the 
legal domain (for instance country or court), amount limits, time limits, category of 
trusted parties, special conditions etc. These can be technically designed into the 

The preferred solution for generic application where it is impossible to determine the 
application risk in case of abuse such as surfing the internet is at least a two-step 
process based on a double encrypted identification of which the outer layer is 
encrypted with the public key of an asymmetric key pair related to the court that 
should determine the justification of identification and an inner encryption layer 
encrypted with the public key of an asymmetric key pair related to a pre-approved 
entity verifying the court procedure. 
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This verification entity can be eternal to the country 'S^SSSSTS^ 
that gradually makes access to decryption keys more difficult as time passes, ror 
SS by encrypting the private decryption key with the public key o £ another 
entity, thus increasing the whistle blowing mechanism in case of attempts of mass 
surveillance or forced access or decryption keys. 

Period-specific public keys can be published by any number of ^ted iwrti^meaning 
She corresponding private key will be deleted within ^^S^SSSS!^ 
preferable in some verifiable manor using for instance s verified hardware i to .store the 
keys. Since public keys are published a trusted party does not know what k.nd of 
secrets is guarded and for whom. 

The core link to the physical world will have to lead back to the basic Identification 

the llmft to accountability. Creating this link between the 
and digital world is in the end a form of biometrics combined w .to a hnk ^certificate 
from some entity that has to be trusted. This issue and espeaaHy jJ^J™* 
reaistration is described in more details in the patent application ref xxx Establishing 
^cy communication path" which is included here by reference. 



Life Linkability 



ThP main Duroose of this invention is to implement the concept of non-linkable 
a^SSyjS ensure that accountability is established with the least possible 
UntebS across transactions so that even if one transaction is made tradable to the 
Kffi^toTnsactions by the same individual are close to impossible to locate. 

However this balance is a political decision. If it is politically decided each step in the 
Son oTa PACC SnVe accompanied with a parallel step creating reverse InkaMrty 
S a Lries of pre-programmed steps can create 

the virtual identities. If all these are stored in an accessible manor full life linkaomty 
can be created. 

One situation where this could be decided would be for «n v ^i crimina L s lP e 1 S!hf S 
of Sn types of crimes or certain duration of penalties - that they loose the right 
STn^lkaK Tbis setup could be implemented using either posfove or negative 
Sedentials . For instance, if the person cannot present a period-specific citizen 
Sntial, the part creating the PACC-steps will also create the reverse entity. 

Creating these data components are significant more sensitive thar » the PACCsince 
inSduafe can be totally targeted after any action has lead to identify the person. 

Features like these would in a preferred implementation only be included on a 
selective basis and not as part of the default PACC process. 

Infrastructure Wiretapping 

Unking all transactions with the same person does not provide access to the 
decryption keys. These can be achieved by contacting the communication 
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counterparties if these are not under investigation. However for investigation serious 
SmSfpteS wiretapping is sometimes requ.red. 

S3S3B3SSSS5? 

operation. 

AaAiraYer] kpvs for each device or virtual chip card protected 
The scheme would use dedicated keys ^eac" a ev rf wQu|d 

with mechanism s.m.lar to the ^ re ^ P ^SJJ entlty . This te significantly 
provide access to devices controlled *™*^Jfi2^ Such a shared secret 
different from using the same shared secret keym , all oev ch and fe 

• key even if it was an asymmetnc key is also Known i as w ^ 
extremely vulnerable to anyone getting access to this Key as ™ h 
access to all communication. 

Features like these are not included in a preferred implementation. 



Privacy Accountability according to application 

accountability. 

From this follows the M elimination of the traded between sea,*, end pnvac*. 

2SS55S£2« — ^ «—* " 1:6 in,Battd 

this session. 

Any session can be £SSS£Sot on 

positive (memberships, c.t.zensh.ps t ^^^"SSherwte limited), 
a criminal block list), temporary ■™2*££^^? ^ult accountable 
reduced accountable i«^^^uSSS^S^^ accountable (for instance 

ESESSSStoiSBB-" 
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infrastructure) and fully identified (towards infrastructure accumulating linkable 
personal data). 

Any service can define its specific requirement for accountability. Similar any session 
will have an inherent accountability level. Matching these will then tell if a certain 
session is able to provide access to a certain service. If the session accountability is 
insufficient, then a higher level of accountability can be established by authenticating 
towards an appropriate PACC or dynamically establishing a PACC according to 
requirements. 

Basically this will mean that infrastructure will be able to provide support to any type 
of service according to the inherent risk. For instance an anonymous session based on 
digital cash payments can achieve access to location services, information services 
and services where participants explicitly accept the risk. 

Any temporary use of public access points or lending can thus be protected without 
leaving a trace sacrificing privacy. For instance libraries with internet access, Internet 
Cafes, Supermarkets, physical doors with access control etc. would all benefit 
significantly from this approach. 



Managed Digital Signature 

An important aspect of discardable Chip Cards is the ability to instantly revoke digital 
signatures even if the Chip Card tamper resistance is broken and at the same time 
sign with identifying Digital Signatures without creating linkability for anyone than the 
suppose part. Several different approaches can be used to establish this presently not 
solved aspect. 

Firstly the private key of the signature can be encrypted with a key that is not present 
on the Chip Card. In order to Sign, the Chip Card will then retrieve the decryption key 
using a method that can be blocked without access to the Chip Card. After accessing 
the private signature key the decryption key and the unencrypted signature key is 
then deleted until next transaction requiring identified signature. 

To make this solution perfect an unbreakable deadlock can be created by further 
encrypting this decryption key using a key stored only at the Chip Card and accessing 
said decryption key can take place either anonymously or using multiple occurrences 
of said decryption key encrypted so that each access is not linkable with the others. 

Creating Instant revocability would just imply deleting the decryption keys or blocking 
access to the decryption key. 

Another solution would be to store the identifying signature key in an encrypted non- 
linkable version (including salt and different hybrid encryption schemes etc.) at some 
or all Privacy Reference Points. When establishing an anonymous session the 
encrypted signature key is forwarded to the chip card which decrypts the signature 
key, sign the transaction and then delete the signature key. Instant revocability can 
occur by blocking access to the Privacy Reference Point 
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An even third solution would be to use a managed Signing Server handling one or 
more Identifying Signature keys and forward a non-linkable or blinded fingerprint for 
signing. The signed fingerprint is then returned to the Chip Card and the blinding 
removed and the signature forwarded to the agreement partner. This should 
preferable use a mixnet to shield the session from linkage to the managed signature 
server. 

The Signature Server will need a traceable authentication which can be either a Chip 
Card key or a Credential based solution. To create instant revocability, this 
authentication process can be cancelled at the Signature Server. 

Other solutions could be a credential based signature using split credentials with any 
of the above principles to sign. Split credentials could be in the form of multiple 
credentials that has to be XOR'ed together to create the real signature, one credential 
in the form of an encrypted identification combined with a decryption key, or any 
combination of these including where part of the key is stored at the Chip Card. 



Privacy Credit Card Payment 

A preferred solution to Privacy-enable standard credit card or debit card payment is 
illustrated in Figure 150. The Credit Card is assumed to be a persistent number 
related to a bank account and therefore provide, identified linkage if a linkage between 
the persistent card number and the use of the credit card is stored in a database. The 
main objective is to break this link but still remain compatible with standard chip card 
payment interfaces such as the EMV standard (Eurocard, MasterCard and VisaCard). 

The Chip Card (150-20) receives standard payment information from the Shop 
Computer (150-30) through the Card Reader (150-10). Instead of encrypting and 
signing the message and then forwarding the message directly to the Financial 
Institution (150-70), the message is routed through a double layer of pseudonymisers 
making the Identity Provider (150-80) act as the Shop towards the Financial 
Institution (150-70) independently of the real Shop M (150-30). The Chip Card (150- 
20) creates an encrypted message attached to a one-time only Reference which is 
then forwarded to the Service Provider, who decrypts the message. The message 
contain information. as to the Relationship according to Figure 110 and an additional 
encrypted message with attached information to forward this message to the Identity 
Provider (150-80). The Identity Provider carries out the same operation to find an 
encrypted Chip Card payment message to forward to the Financial Institution naming 
the Identity provider the beneficiary of the payment. 

When the Identity Provider receives a payment accept from the Financial Institution, a 
payment accepts is forwarded from the Identity Provider to the Service Provider. The 
Service Provider then emulates a Financial Institution towards the Credit Card Reader 
and Shop Computer. The actual Payment is routed the same way except that methods 
to prevent linking based on timing and payment amount incorporating for instance 
escrow and multiple payments crowd effects. Payment escrow can be established 
according to the consumer regulations of both the Client home country and the Shop 
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Country. The net consequence is that the Financial Institution no longer knows who 
actually receive the payment, but convenience- and other wise this payment is 
standard looking from the point of view of the Shop. 

The Shop Computer (150-30) can use a similar principle to generate a new one-time- 
only Virtual Shop interface for each transaction and hereby preventing the PRP-service 
provider to link multiple transactions with the same shop. 

Theft protection ^ j . . 

If the chip caitl is lost the Client is in risk of impersonation and identity theft. The risk 
is dependant of the chip card authentication. Since the card deletes used References / 
Privacy Reference Points (PRPs) and healthcare data are encrypted the risk is limited 
to unused References, digital cash/credentials stored on card and digital keys for 
Privacy managed Digital Signatures. 

To block for abuse Client only has to use the unused References to block for use of 
Digital Cash and credentials through the managed service. Further protection can be 
created by voiding References as well as Digital Cash and credentials marking them 
stolen. This way abuse attempts can easily be detected if a thief tries to abuse the 
card. 

To block for Identity Theft using the digital keys for Privacy managed Digital 
Signatures, Client only has to connect to the Signature Provider and report the Digital 
keys stolen. The Signature Provider then deletes the copy of the digital signature 
encrypted with the keys specific to the card. After this the lost Chip Card has no 
longer any connection to the Digital Signature. 

The Chip Card can further contain a one-time only reference to a Lost and Found 
connection similar to creating a standard Relationship except that this can be initiated 
by a Lost and Found office similar to an emergency health care unit connecting to 
Cave data. This is sufficient to establish contact in order to return the chip card. 

Client can easily detect whether abuse has taken place due to insufficient chip card 
security. If security is violated and the thief has been able to use the chip card for 
transactions, the damage can be detected when Client traverses the unused 
References and appropriate measures can be taken without long-term consequences 
such as bad credit ratings etc. 

Theft protection is also established on products, since leaving a store without privacy- 
enabling built-in RFID-tags means you haven't paid for the product. 

In case of theft of a device such as a car, a shaver, a television, a mobile phone etc. 
enabled with Privacy Device Authentication, the thief will not be able to active the 
device because the thief will be unable to access the key. Similar to existing electronic 
theft protection of cars the theft protection depends on how perfect the digital 
authentication is integrated with the system. 



Deliberate lending or sharing of credentials 



Version: 1.0 - 2003-10-08 



Page 19 



Digital Privacy Highway in the ambient world 



To prevent deliberate loss through lending, sharing, cross-credentials (a paedophile 
verifying for a drug addicts and visa versa) etc. the Chip Card should contain 
damaging access in case it is not blocked. In order to prevent selling access to 
credentials this can be linked with something the Client does not want to give away 
access to - such as bank accounts, establishing accountability or sign legally binding 
agreements, access the personal history etc. 

A further important aspect to prevent lending of credentials would be to link Chip 
Cards in order to prevent exporting keys to non-tamper resistant Chip Cards. 



Location 

In the preferred implementation, no devices are identifiable towards external 
geographical location tracking as more than a session. To protect from abuse of the 
inherent location knowledge (as for instance triangulation of wireless devices) most 
services are blinded from their location through a virtual location somewhere on the 
network. This can be a proxy, several proxies, an inherent feature in the routing 
protocols, a more advanced anonymiser such as a mixnet or a combination of these. 

The infrastructure access provider can provide services based on the location only and 
request further profile or accountability information according to the application. For 
instance a supermarket will inherently know that the customer device is located at the 
supermarket premises. 

The wireless device either is able to define it own location using for instance a 
standard GPS satellite tracking device or as a service request from infrastructure 
tracking. But revealing the location towards any persistent pseudonym is in user 
control. 

Devices can be pre-programmed to automatically attach the geographical position or 
even switch-on a persistent tracking functionality when calling emergency numbers. 
This invention will not prevent efficient aid to accidents, but it also follows that there 
is no inherent need for location tracking to be built into infrastructure for emergency 
purposes. 

If devices are only traceable as non-linkable sessions, the access provider can provide 
the location information. In addition emergency services can be non-authenticated as 
the reverse authentication step for accountability is not relevant for emergency 
purposes. 

If a Device is enabled with Privacy Device Authentication, it can be activated remote 
without privacy implications. For instance an authentication message to a car can be 
broadcasted in case of theft and thereby enabling tracking devices. A child can have a 
device such as a watch where an authentication message can activate any service 
such as a location reply etc. The child can have the option to deny the location 
request, if the focus is on the child right to avoid parent tracking. If the device is 
equipped with more than one authentication reply for the user - one type blocking 
reply if the user don't want to activate the function and another releasing a silent 
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alarm in case of a criminal event, then a criminal can not prevent an alarm even by 
threats of physical harm. 



Devices 

The Chip card can be implemented in any number of ways. 

Connected to an untrusted card reader using wireless or direct connections. 

The dependence on an untrusted user interface can create a risk of man-in-the-mlddle 
attack in the card reader where user choice are altered in order to manipulate the chip 
card to perform an action the user has not authorised. A number of technologies and 
methods can eliminate this problem such as multiple purpose specific pin-codes, 
purpose specific Chip Cards (one for always anonymous and one for default traceable 
transactions) etc. 

Distrust towards the financial institutions can make it preferable to implement a 
solution where the store chip card reader intermediate the shop as either the Identity 
Provider (100-80) or the Service Provider (100-40). The chip card will then make a 
payment authorization which can be encrypted by the chip card reader using the 
public keys and forwarded accordingly. This method can also protect ordinary credit 
cards. 

The central credit card databases thereby can no longer determine where payments 
are made from information available. If the Identity Provider forwarding the payment 
instruction to the Financial Institution - after payment is received - encrypt the data 
linking the transaction with the point of payment according using external keys, 
privacy protection of historic transactions can be achieved. 

Further a Privacy Chip Card can be used in parallel with the non-privacy-enabled chip 
card to link the transaction to for instance a Basic anonymous Relation according to 
110. 

A better method is for the chip card itself to have a direct user interface for 
authentication and choice. This can be either using a more complex chip card or by 
combining the chip card with a trusted device incorporating a chip card reader. This 
device can be any type such as a pda (Personal Digital Assistant), a mobile phone, a 
portable computer etc. 

The same effect can be achieved even with contact cards by making them able to 
communicate wireless with an external user device handling the user interface. 
Commands from the untrusted terminal can be ignored, validated or overridden 
depending on the implementation. The consequence is protection against untrusted 
devices. 

The preferred solution would be to incorporate the chip card in a dedicated personal 
authentication device communication with other devices using wireless protocols. This 
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way the same chip card can be used to control all user devices using privacy device 
authentication to establish control with the specific device. 

This can be split into two devices in the form of Master Authentication Device 
(dedicated to handling basic keys and physical authentication across devices) device 
authenticated to a Master Communication Device (mobile phone, pda, portable, etc.) 
handling additional communication. 

End-users can easily exchange devices through lending protocols as long as the Chip 
card is personal. 

Protocols 

Privacy Reference Points - PRPs 

PRP is one-time only references acting as anonymous pseudonyms. They are created 
in such a way that only the Client is able to link multiple PRP created with the same 
Chip Card. Client can thus any communication channel including 

PRPs can be generated and shared in multiple ways. 

The most secure way would be to generate pure random input numbers in a secure 
HOME environment and share these with the Chip Card. 

These random numbers can be used to generate both a PRP as well as an 
authentication key. 

Another way would to generate random-like input could be to use an algorithm based 
method using a shared secret as seed value. One such implementation could be based 
on a low-collusion hash of a combination of a CardRef (Chip Card specific key) and a 
changing part such as a counter. 

Any stream padding chipher can generate a similar result - the quality depends of the 
degree of randomness of the algorithm. 

The sharing can be carried out either through transferring PRPs (or seed secrets for an 
algorithm based solution) encrypted with the public key of a key pair, where the 
private key is generated within the chip card and has never left the chip card or a 
shared symmetric encryption secret for instance established sing a standard Diffie- 
Helmann protocol to establish a shared encryption secret or other means. 

Another way would be to use a ring method, where each Privacy Reference Point when 
authenticated will forward a previously stored encrypted data segment which contains 
the reference to the next Privacy Reference Point 

Another way to share the PRPs could be to use Credential technology using blinded 
certificates. 
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Relationship Reference Links 

In a standard credit card payment request transaction the store transmit as a 
minimum a Shop Id, a transaction reference, amount to be paid and a date. 

When combining the Shop Id and an internal Relationship Link key, the Chip Card can 
generate a unit specific Relationship Reference Key for instance as a hash of this 
combination and use this result as a key for enable cross-transaction Hnkability and 
thereby the ability to build profiles across multiple PRP-based transactions. 

Client can encrypt this key for his personal use and only make available for instance in 
the HOME environment ensuring NO ONE except the Client can link multiple 
transactions in the same shop and still maintain complete The key can be released 
directly to the Shop to provide in-store Hnkability without any part of the 
infrastructure able to link these. By including an additional element as a hash 
parameter, the Chip Card can maintain multiple persistent relationships with the same 
shop. This could a purpose-specific key or for instance be the date or year and 
thereby creating a new relationship each day or each year. 

The preferred method to balance security, convenience and flexibility would be for the 
Chip Card to use two Relationship Reference Keys and encrypt the main Relationship 
Reference Keys with the public key of the Service Provider (150-140). The Service 
Provider can link the anonymous transaction to previous transactions with the same 
Relationship Reference Key and store a shop-specific Customer Reference with is 
returned to the shop together with stored profile information. The Service Provider 
has in the basic setup no need for accessing contents and therefore profile content 
can be encrypted so that the Service Provider only acts as a contact point providing 
storage, transaction, communication and trade support for relationship. 

As a second shop-related key, Client can instruct the PRP-provider on which data 
profile to provide for the shop. Client can for instance create a fixed shared profile 
part and have the PRP-provide link to this together with the last months profile or 
simply provide the shop access to the full shop-related profile for maximum 
convenience. 

This way the Client can independently of his own convenience decide his profile 
towards the shop. 

Group Relationship References 

The basic group connection is established as a number of anonymous Privacy 
Reference Points linked together in a group based on a shared Group Privacy 
Relationship Link. A public-private asymmetric key par is created and the private key 
is stored online in multiple versions - each encrypted with the encryption key of a 
member. 
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Any exchange can then use the shared key if all parties are to access this information 
or be directly addressed to any part - fully anonymous to central services providers. 
But members of the group can establish exactly the level and type of accountability 
preferred either using the setup described in this solution or voluntary as part of the 
relationship communication using any external solution including direct identification 
using a standard digital signature. 



Privacy Device Authentication 

To protect the Client from the environment tracing or collecting information as to the 
devices, he is carrying or accessing, a zero -knowledge device authentication can be 
used. The device requires the Client to prove possession of a secret key before 
activation. Prior to activation the device will in no way reveal its existence or reply to 
any requests. Similar the Client Authentication Device (CAD) need not reveal any 
information usable to link multiple transactions performed by the Client. 

Since the surroundings must be assumed to listen to all wireless communication, 
replay attacks where an attacker records one authentication session and later replay 
the authentication to emulate Client must be prevented even if the device has no 
ability to store prior history. The preferred way to do this is to include a for the device 
method to distinguish between prior authentication attempts and valid ones. The 
preferred solution is to include a timestamp into the protocol and have the device 
store the timestamp of the last successful authentication. In case of a replay-attack 
the device will simply Ignore the authentication attempt. 

For high-power devices with sufficient computational power an asymmetric key pair 
can be used. Each key can be used as a private key towards the other and thereby 
facility a two-way authentication. One key advantage of this implementation is that 
the private key of the device is not known outside the device making man-in-the- 
middle attacks harder. The same key can still be used for authentication, encryption 
and decryption but always used in a zero-knowledge protocol preventing externals to 
identify and link device usage. 

Each device can have multiple key pairs to reduce linkability across use. This is 
especially vital in any direct device connection between a trusted environment such as 
the HOME environment and an external environment such as such as a commercial 
entity. 

The root security principle invented and implemented through this invention is that 
any direct device identifiers such as encryption keys never has to leave the trusted 
environment - communication should preferably take place through context-specific 
pseudonyms to ensure non-linkability and flexibility. 

If a direct device connection has to be established for any purpose this should always 
be using a dedicated key pair that is not reused for anything else. Addressing should 
preferably be relative such as a PRP.<virtual device-ident'ifier> or be type reference 
such as PRP.<DEVICE TYPE Identifier. 

A unique serial number provided by the product manufacturer is consistent with this 
by providing support for the Product life cycle until purchase and being linkable to the 
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purchase PRP. In the phase where the product is in end-user control this unique serial 
number is always replaced with context-specific key pairs and preferable not 
addressed directly at all. This way the unique product serial number is therefore 
transformed into a protected root device identity. 



Device with low computational power 

For devices with insufficient computational power such as RFID-chips asymmetric 
computing is not feasible in the short term due to the technical requirements. Here 
this invention introduces the concept of light-weight Zero -knowledge authentication. 

This involves any algorithm that satisfies the requirements of authentication without 
transferring other than random session identifiers for either device involved in the 
communication. 

Using such an algorithm this can enable communication from a Client-controlled chip 
card (410-20) through either a Privacy Authenticating Device (410-90) or a untrusted 
Card Reader (410-10) through any communication network such as a LAN, WAN, 
WLAN, Bluetooth (410-250) to forward or broadcast a message through a 
communicating device (410-210) enabled for transmitting using any protocol such as 
an RFID, IP, Bluetooth, WLAN, infrared, radio waves etc. with the device to 
authenticate (410-200) such as an RFID-tag, a Bluetooth-tag, a WLAN card, a radio 
wave reader etc. The device (410-200) can further be integrated in for instance a Car 
and thus act as a digital key towards any other device. 

One preferred algorithm that abide to the tough requirements involve the Chip Card 
(410) to generate a message comprising a timestamp (DT) together with a first data 
segment (XI) and a second data segment (X2) encrypted in such a way that the 
device to be authenticated (410-200) can verify the authentication using a stored 
secret (DS) and verify the authentication is not reused by checking DT2 is newer than 
the timestamp of the last previous successful authentication (DTI). In the preferred 
solution, XI comprises a one-way low-collusion hash algorithm such as MD5 of the 
combination of the device secret (DS), a random session key (R) and the timestamp 
(DT2). X2 comprises the XOR combination of random session key (R) and a hash of 
the Device Secret (DS) and the timestamp (DT2). 

The device receive XI =H(DS || R || DT2), X2 = R XOR H(DS 1 1 DT2) and DT2. If DT2 
is less than or equal to the stored timestamp of the last successful authentication DTI 
then the authentication fails. If not the device then computes the random session key 
using the stored device secret (DS) so that R= X2 XOR H(DS 1 1 DT2) and verify the 
authentication by checking that H(R 1 1 DS 1 1 DT2) equals X2. Since only a Client 
device knowing the stored secret (DS) would be able to compute XI and verify X2, the 
device can assume it is authenticated by the proper owner and can now respond 
accordingly. 

To verify to the owner that the device knows DS it only needs to prove in zero- 
knowledge that it knows R. This can take place by returning for instance X3 = H(R). 
An authenticated session between the two devices is now established with a random 
Shared session secret R to encrypt any message using any encryption protocol. 
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Creating the initial Device Secret . 

From factory the Device or product is part of a supply chain where unique numbering 
is key to effective processes - privacy protection is not an issue and only a problem. 
The change from a non-privacy to a privacy enabled device occurs at point of 
purchase (which again can be multiple steps for instance in case of lending etc.). 
Multiple different algorithms and control procedures can ensure this change occur in a 
secure manor. 

A simple preferred method if for the product from factory to have included a unique 
Serial Number (SN), an Privacy Activation Code (AC) and in case of activation a fixed 
initial Device Secret (DS). When the product is purchased AC and DS is transferred to 
Client and the AC further transferred to the Device in the open. On first Privacy Device 
Authentication using the initial DS, Client is required to alter the DS-code to a new 
randomly selected DS. By including a block never to reuse the initial DS, Clients are 
safe against even against collaboration between the shop and the producer to listen-in 
to the communication between Client and the device. In case of an attempt to use the 
building DS, the attacker will be forced to change the DS and then the Client will 
detect it on first use as Client will not be able to authenticate with the DS provided. If 
Client doesn't want to use the ability to authenticate towards the device (for instance 
a piece of clothes with an RFID tag) then the device will for all practical purposes be. 
privacy activated. 

Privacy activation linked to purchase implements a strong theft control enforcing 
privacy. If a consumer leave a store with non-privacy activated devices, he should be 
stopped - either due to an attempted theft OR because the privacy activation does not 
function properly. This provides a positive interest in safety for BOTH the consumer 
and the shop. 



Group Privacy Device Authentication 

The basic Privacy Device Authentication protocol requires the owner to know the 
device to authenticate. In a number of circumstances this assumption does not apply 
and a group authentication protocol is needed a first step before the actual 
authentication protocol. 

Such a protocol could in a preferred implementation include storing an additional 
Group Code (GC) stored on multiple devices and a Device Identifier (DI) chosen 
specific by the client for the single device. 

The Group Privacy Authentication protocol includes a first authentication step using 
the Group Code (GC) instead of the Device Secret (DS) establishing an encrypted 
session with all devices storing the same GC. 

In a basic solution all devices can respond with their respective Device Secret (DS) 
XORed with the Random Session key (R) or a group specific random Device Id. The 
Client then looks up all the received Device Ids and retrieve the Device Secrets (DS) 
for the devices to authenticate. 
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A better and more general solution would add a vital privacy and security protection of 
linkability in case an attacker has been able to guess, break the algorithm or access a 
valid Group Code (GC). Instead of providing the Device Secrets as respond to the a 
Group Authentication the RFID operate a list of one-time-only references or encrypted 
references revealed one at a time for each transaction. The references can only by the 
intended entities be translated into the real devices identification. 

This is very useful for HOME applications where the Cient is intended to be able to 
change settings such as washing machines, television, refrigerators, room 
temperature etc. as the purchased product can be extended to include specific 
information for specific usage or processes such as re-ordering (refrigerators, coolers 
to remember and provide services on content and duration), adjusting programs 
(washing machines clothes etc.), preferences (loudness, preferred tv-channels # light 
etc.), proximity services (door opening). 

Another important solution and application is where the list of references consists of a 
list of encrypted PRP-references and authentication keys which extend the HOME 
applications to general usage. A Group Authentication will not be followed by a Device 
Authentication as this would create linkability across multiple transactions with the 
same device. 

In this range of applications the provider of the application service will connect to the 
PRP and either the application service provider or the Service Provider (in case of a 
managed service) respond with for instance a timestamp (and potentially a ticket 
number or other specific information such as a distance, location, section, seat, price 
range or other ticket specific information) defining the time period this specific ticket 
is valid. 

Subsequent request within this time-period will then result in responding with the 
same reference (plus concatenated additional information). By letting this time-stamp 
extend beyond the real end-period and combining this with a kill reference command 
extensions etc. can be purchased by linking multiple PRPs in a repeat request in a 
session. 

This is especially useful for applications where the same Group Key is used as for 
cross-Client Applications. This could be for a ticket system for use in transportation, 
car parking, road pricing, physical access system, events etc 

Even tickets for One-time-only events can be integrated in cheap multipurpose RFID 
tags by purchasing the ticket and then create a PRP storing all the relevant event 
information and prepare the RFID reference with the relevant information and Group 
Code. The related Group Code is provided by the application Service provider as part 
of the ticket purchase or by the Service Provider as part of a managed service. 

This can easily be extended to multi-ticket applications even across difference 
applications either prepared by the Client separate agreements or as part of a tour 
package with the Service provider supporting with managed services for operations 
(flights, car renting combined with hotel reservation and conference registration). 
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Device able to handle asymmetric encryption 

^S?wn above Privacy device authentication can even be carried out us.ng weak 
authentication mechanisms. 

The preferred and likely standard method will be to use strong encryption using 
asymmSric or even credential encryption in a zero-knowledge implementation. A 
delicTlble to do strong encryption can always emulate the weaker encryption 
protocols described. 

For instance it is impossible for a reader to detect whether a proximity badge is a 
w?ak^ RFID tag, a somewhat more powerful Bluetooth tag or an 

Xnce Master Authentication Device with full key management and access to WUVN, 
3G ™ ^Sher c?mmunicationa« channels in parallel with short range wireless protocols 
such as RFID-communication, Bluetooth, infrared or other local communication 
protocols. 

in the purchase process the Client assumes control of the device and either the device 
or the CHent creates a device-specific secret public-private asymmetnc key pa r. 
Secret means Sat it is NOT shared beyond the device and the owner Delegation .s 
nreferabiv done through additional secret key pairs to distinguish between 
owSadmmTsSrlnd temporary delegated authentication with reduced access. 
The private device key is blocked in the Device. 

When the Client wants to assume control any communication package can be 
rcrjpted using the public key WTTHOUT attaching any identifying certificate , or 
persistent identifier. To an external observer EACH package is zero-knowledge 
communication. 

If the device is able to decrypt the package with successful result the device can 
assume that the sender is the owner of the device. Date ^mps or chaHenge- 
responds mechanisms should be included to protect against replay atta cks, jwt 
without knowledge of the secret public device key, the attacker is not able to neither 
prepare nor decrypt a device message. 

A stronger authentication would include a two-way authentication which is ; especially 
Useful when using context-specific device keys towards specific Pjj^jj^" 
similar to the workings of a virtual identity with encryption keys managed within the 
chip card. 

Mobile devices don't have to generate PRP-specific asymmetric keys themselves. Each 
PRP and later each relationship- linked set of PRPs can have a prepared set of 
asymmetric keys stored and encrypted with a card specific decryption ^- Whe" the 
PRP is authenticated, the specific asymmetric are forwarded to th mobile » devtoa and 
decrypted. Similar the public key of the asymmetric key pair can be Jnted to the prp 
in advance towards the PRP-service provider in order to make the authentication 
process first based on a light-protocol followed by a strong authentication based on 
the ability to decrypt and access the private key. 
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Asymmetric Device-to-device authentication is simply based on an optimistic principle 
where the slave device test all approved keys at each authentication request. 

XI, X2 and X3 can be combined in one encrypted package so that for instance XI = 
Encffimestamp || R 1 1 h(R), Device Public key) in the one-way slave mode and in the 
two-key version XI = Enc(Timestamp || R II Enc(R, Privacy Master Key), Device 
Public Key). 

Similar group authentication is simple as the shared secret is exchanged with the 
public key of the group authentication key and the validation switched to strong 
encryption without exchanging certificates or keys that are not session-only. 

Context-specific Privacy Contact Points (CPCP) - 
The concert problem and Instant Messaging. 

Each part publish this days (or other changing component such as an event or context 
specific key) version of his preferred address book relationships. 

An instant messaging link message - a CPCP - could for instance be created as <PRP- 
domain>.hash(relationship secret XOR Date/Eventfetc). 

The Instant Messaging Provider is then able to match relationships efficiently across 
multiple PRP-domains by forwarding the PRP-specific CPCPs to the relevant PRP- 
providers only. This also links different Client across multiple Instant Messaging 
Providers. 

Accountability is an orthogonal issue as sharing a PLIM does not establish a 
connection until authentication towards the PRP-connection is carried out. This way 
loosing a Privacy Chip Card does NOT give the thief access to Instant Messaging 
Relationships AND at the same time requirements to accountability abide to the 
requirements of the various relationships independent of the Instant Messaging 
Provider. 

One consequence is the ability to link a mobile phone through Instant Messaging to 
any other IM device connection in a privacy enabled manor WITHOUT creating 
persistent linkability. I can ALWAYS be in contact with MY relationships without 
infrastructure tracking us. 

Shielding the PRP-domain as part of the hash is more secure for small domains (the 
domain should not in itself be revealing but commercial agreements could introduce 
discrimination) but this leads to a problem of linking across different Instant 
Messaging Providers and different PRP-domains. One solution would be to make tne 
PRP-part connection specific so that the Client Device tells the Instant Messaging 
providers to try matching ALL CPCPs towards a list of PRP-providers. 

Relationship parties do the same and upon matching Instant Messaging linkability is 
established without the messenger service knowing who talks to whom. 

Since a Relationship secret can be related to a Group Relationship combined with 
intra-group relationships this concept can be used for Groups, communities and can 
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focal CPCP relative to the Group to create group-specrfic Instant Messaging. 

Relationship Com ™V ni1 ? e * , SHa c ^ mctant Message relationship linkage as a 
This Group Relationsh.p also f^ffSSS^m^ of all the relationships of one 

and available to relationships of the other ^^JJ, to avoid sharing the 
so that they only make sense relative to a specific Client. 

contact they can create a permanent relationship. 

connection is authenticated. 

forwarded either automatically or on request. 

I throw a digital party. You are all Invited and bring your friends and the friends of 
your friends! 

General Infrastructure 

members of the Client address book. 

SSSaaKsESssasssHS. 

SCart ffiEKKK. « contmuauon of dev.ce a ument,ca«.n Into 
Device-to -Device Authentication. 
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The key principle is that device in a local and trusted environment can be linked 
whereas external connections ONLY can be linked or connected through a shielded 
session or relationship- Devices cannot be direct addressable using a persistent 
identifier by any external party in either infrastructure or in the ambient space 
because this will create linkability outside Client control. 

Device to External Device links can only be relative to the specific relationship in such 
a way that the device cannot be addressed outside the relationship. 



In many situations in a local and trusted environment it is advantageous to delegate 
device control to other devices. This could be the case of a master key device in a 
complicated multi-device product where control over minor devices is transferred to 
the central key device. 



Examples could a computer (CPU, keyboard, memory, mouse, storage, input/output 
device, network adapters etc), a car (ignition, doors, multimedia equipment, petrol 
tank, network adaptors etc.). 

Other natural would be linked appliances in the home such as multimedia (television, 
radio, CD/DVD/digital players, computers, loudspeakers, remote controls, set-top 
boxes etc.), the kitchen (cookers, refrigerator other appliances), the home office 
(printer, computers, access, servers etc.), the system (heating, lighting, ventilation, 
etc.), the security system (doors, alarms, windows, outdoor lighting etc.). 

It could also be a combination of these such as a car authenticating towards the gate 
and door opener to the garage. 

The preferred implementation of this would be for the Client to have mobile Master 
Authentication devices specialising on key management and controlling specific Master 
Communication Devices (such as mobile phones, computers, etc.) which again control 
Specific Master Devices such as household intelligent network server, cars, workplace, 
home office, other Specific Master Devices etc. 

In the bottom are the simple slave devices controlled by product tags such as RFIDs, 
Bluetooth tags or more advanced computational tags. These can both be simply 
attached to the product/device but also integrated and controlling some function such 
as a door alarm, the coffee machine, a garage door opener etc. 

Each person will have at least one Master Authentication Device for mobile use 
(reduced functionality to protect against loss or theft), a more powerful home device, 
a backup solution to transfer control to new devices in case of failure etc. 

At least two different user access roles are necessary. Firstly the 
ownership/Administrator access able to delegate device control to other device or user 
access to other Master Authentication Device holders. 
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Each person will then be able to control communication devices and through them the 
specific master devices and slave devices. 

In this setup customisation is easily done through prepared preferences triggered on 
authentication according to the device setup. For instance a small child is not required 
to do intelligent authentication, but is proximity authenticated. Bigger children can 
perhaps access everything but with reduced functionality (computers are not open for 
all sites and services, television can be restricted, etc.) and adults can have full 
control over all devices if they desire so (a Master device can drill down through the 
various devices controls to change the setting of the floppy disk drive to make it read- 
only or change the lighting system so that a specific touch switch triggers a Room 
atmosphere setting with three lamps, 22 degrees Celsius and the radio to classical 
music instead of simply be an on/off switch for two lamps) 



Applications 

Instantly Revocable chip card 

The main application of this invention is the ability to provide a fully discardable and 
instantly revocable multi-application, multi-identity Chip Card which can support 
creating, maintaining, authenticating and maintaining non-linkable relationships each 
within its own continuum of linkability of related transactions, accountability and 
communication support. 

The same Chip Card can include a Passport, a healthcare card, a credit card, digital 
signatures etc. all in a fully privacy enabled version ONLY limited by the explicit 
unavoidable linkability such as uses where the individual are identified and the 
information used in this connection and not necessary or against the agreement 
stored in a identifiable version. 

This invention explicitly implements a solution to revoke even anonymous credentials 
and digital cash by blocking the card process rather than the credential itself. This 
enables using fully anonymous credentials with protection against identity theft or 
similar problems due to loss of the card. 



Digital Relations _ 

This invention makes it possible to create generic two-way and group relationships 
with any combination of anonymity, accountability and cross-protection. 

For instance two strangers meeting can exchange contact information using Privacy 
Reference Points using either a direct wireless protocol or using a device to coordinate 
the connection. In addition to the default managed accountability solutions, the 
relationship can be pure two-way anonymous combined with a direct negotiated and 
confirmed exchange of PACCs (accountability with any combination of trusted parts or 
devices) or identification. 
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This is usable in ail situations (even remote) where people meet and wants to 
establish connection according to the situation context This include but is not 
excluded to conferences, meetings, dating services, auction sites, transport, public 
events, accidental meetings at cafes, in the street, etc. 

A special and very strenuous case is the example of a combined online and real world 
group therapy of victims of sexual abuse. Attendees want to be sure that no one is 
anonymously collecting information about the others and deliberately trying to abuse 
this information. At the same time easy and non-identified authentication and 
convenience for remote access is important. 



Privacy marketing and customer loyalty 

This invention creates the perfect support for what is known as the customer staircase 
- the gradual evolvement of a commercial or social relationship. 

Leaving an anonymous connection point is absolutely safe for the customer and yet 
there is full support for communication, payment, receiving physical deliveries to be 
enabled at any later point in time. The social and mental cost of opt-in registration is 
therefore zero for the customer removing key transaction costs for the Information 
society. 

The customer in addition has 100% Opt-out guarantee, that he can always kill the 
relationship for any reason. 

The basic setup is perfectly anonymous and from a legal perspective not transferring 
personal data from the individual to the store according to for instance the EU Data 
Directive. Subsequently customer data are likely NOT bound by the restrictions of the 
Data Directive, but can be considered 100% anonymous. 

But still there is full convenience, trade support and communication channels 
availability. If the store can justify some sort of accountability, a PACC can be 
designed accordingly and still support any balance in the relationship. 

Building customer loyalty is therefore only a question of the store service, products 
and communication. 



Life Management 

In the combination of a Privacy Authentication Device such a Chip Card can provide 
complete and secure access to ail relationships with the ability to determine the level 
of linkability by externals subject only to practical decisions such as communication 
convenience, cost and concern. 

Without changing the user interface and convenience in use for instance healthcare 
related relationships can be fully separated from other parts of the Client life. 
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Infrastructure session authentication 

traceable authentication towards infrastructure. 

-TX'SSS^ — ~ Abased, ubi^us 
device management etc. 

groups etc. in real-time and always on. 

^^^^^^^ 

CPCP. 

The same principles are easily tranferrable to other type of oonm^ such as 
ISSStSSSSs (such as WLAN) and fixed-net networks (such as IAN). 

oediSed renter acting as a proxy doinfl explicit toutmg or address sheMing. 
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The consequence is that the same relationship without increasing linkability can be 
used as entrance to both high-bandwidth protocols such as video conferencing, 
always-on protocols such as Instant Messaging, dynamic Peer-to-Peer such as Voice 
over IP, 



IPv6 

In IPv6 there is a naive notion of one IP per device. In order to provide security it 
should be one IP per device per session or rather per PRP-session. By coordinate IPv6 
with PRPs IPv6 can be upgraded to include privacy. Key is that authentication and 
accountability are independent aspects. 



Grid 

The idea of sharing computer recourses for renting of capacity and there by both 
better utilising existing computer resources and making possible massive parallel 
computing for instance for research projects are attracting a lot of attention. However, 
creating one virtual computer with direct access to all information is providing for 
massive privacy invasion and security breaches in all different aspects. 

This invention provides GRID computing with a balanced solution by de-linking 
transactions and thereby decentralising control. The basic linkable services need to be 
client-side in trusted environments tightly controlled by the Client However 
coordinating services, brokerage, PRP- providers, IM -providers etc. can make 
extensive use of GRID computing as they are characterised by the inability to abuse 
the information provided. 

Creating Privacy instant messaging across Interactive Services. 

This is for instance highly useful for interactive television sessions with distributed 
Group Television. When the content is broadcasted and the television add an overlay 
with the customised part in another two-communication line, interactive television can 
be privacy-enabled. 

For instance combining a PAD authenticated to a television session link to two-way 
relations with broadcast television. The content provider or a content service provider 
can host specific services and support the Client viewer in his use of the broadcast 
content. This is highly relevant for news programs, knowledge programs, 
entertainment etc. One can even imagine that the program has different impressions 
depending on preferences so that for instance Clients preferring happy endings to 
movies can get happy endings and other can get other endings. Similar programs can 
have various focus on the same subject so that for instance elements of programs can 
result to different tracks or content changing viewpoints, focussing on technical 
aspects or emotional aspects, more or less action, more or less romance etc. 

In addition this opens for creating entirely new program concepts and interactive 
services where highly localised and customised interactive features interact with 
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broadcast content such a game shows, quiz shows, discussions of issues related to the 
program, voting on issues, prioritising questions from the audience to interviews, 
providing input to direct the continuation of the program, rating programs etc. 

This also creates a powerful linkage between commercial interests and broadcast 
media. Online or integrated product presentations can be directly linked to the 
audience purchasing products or just creating contacts requesting further inputs. This 
can be combined with program sponsoring and other sorts of trade promotion. 

Instant Relationship can both be created Program specific (key equals 
Hash(relationship secret XOR Program specific key)), combined with ordinary instant 
messaging (Key equals Hash( relationship secret XOR Date/other non-program 
specific)) and a combination in the form of a call to participate. 

A combination of a generic PUM and a program-specific PUM creates an entirely new 
way to enable fast audience attraction to interactive activities as this creates a virus 
effect. Each Client participant pages his relationships which again pages their 
relationships etc. This works seamlessly across communication channels, protocols, 
providers of infrastructure, instant messaging, PRPs and identity services. 

One key component here is that it is non-intrusive. It ONLY works for Client that are 
actually online and has the IM and paging features turned on. 

A Client can be virtually always on by proxy using a virtual service combined with a 
trigger to locate him. This trigger can be anonymised against constant tracking using 
for instance a mixnet reply block solution, broadcast or other non-traceable or hardly 
traceable solutions. It is noteworthy that the accountability issue is orthogonal to this 
as PACC can be linked to the proxy and a authentication is integrated in the 
connection phase between the two parties. 



Privacy Rights Management (PRM) - Digital Rights Management and Content 
Distribution 

The direct link between transactions and personal control also creates a privacy 
framework for Digital Rights management. Clients Acquire rights to some content 
linked to a PRP where encrypted keys are stored. This way acquiring digital content 
does not increase linkability and yet it is accessible from everywhere independently of 
channel or media. 

One possible way would be to re-encrypt the content keys with device specific keys 
such as DVD-players, televisions, portable devices such as PDAs, portable or desktop 
computers or any other multi-media equipment etc. For high-value content dedicated 
versions of content can be created together with specific protection such as 
watermarking etc. 
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proper use 



,„ addition content -"^n^^S^i^S" 
locally, but can at any time connect and reuse_ the P™ r g^rmats using the same 



Protecting Identity Providers 

Any Client is assumed ^^^A^SS^^ ESSS* * 
personal preferences related to communicationwnwmenc^ from of access 

(ISP, telco etc.) 

sorts of devices or product tags, 
protection (broadcasting shut-down or yell commands), 
process. 
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Theft protection would simply involve enabling response without authentication. The 
owner broadcasts a theft authentication and reports the device identifiers together 
with contact information. When any reader picks up the device without authentication, 
the device is traceable and the owner can be informed. This form of theft protection 
would have the added benefit that ALL readers will be on the outlook for devices that 
are NOT privacy-enabled and reporting these. When making non-privacy enabled 
devices subject to fines or penalty the initial privacy problem Is reversed into privacy 
protection. 

Privacy-enabling Personal Accounting, cost accounting etc. 

Today most personal accounting is done through the balance side of the personal or 
family Accounts ledger (bank accounts) etc. not providing for the critical Profit/Loss 
statement describing accurately how the account period has changed the Client 
financial situation. Banks, credit card companies, Online Billing and Payment services 
are moving towards getting access to the invoices also. The consequence of linking 
identified payments with invoices is significant destruction of privacy and infomediary 
control. 

Using Privacy Reference Points Client is able to anonymously traverse his own history 
of transactions and collecting the invoices etc. for accounting purposes. ONLY the 
Client is able to do this is a trusted environment such as his own desktop at home. 

Similarly the linking of detailed invoices over product codes to the producer product 
information can provide basis of more advanced services such as cost accounting 
(calories, vitamins, allergies, general diet etc.), spending distribution on categories 
and sources (rich/poor countries etc.), but also provide for ways to distribute 
warnings from producers to customers with defect products, product updates or 
related information. 

The account perspective is especially improved given the fact that this invention 
makes it possible to do dynamic linking of historic transactions in case new focus 
emerge. For instance the growing consumer attention of the issues of radiation of 
wireless communication and the energy consumption of electronic devices is likely to 
lead to changes in product information. Producers can update product information at 
home and consumers can access this information for historic transaction in exactly the 
same way as for new transactions after the information update. 



Self-service shops 

A very advanced application of this invention would comprise of self-service shops 
combined with anonymous credit, anonymous relationship support for loyalty 
purposes, just-in-time value chain support combined with theft protection with RFIDs. 
It can work like the following. 

The Client authenticates on entry to a self-service show by authenticating towards the 
Service Provider and the Service Provider returning the encrypted shop specific 
customer number of the Client to the Shop Computer. This way a Client-specific and 
authenticated session is established between the Client and the Shop Computer for in- 
store communication services. 
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At point-of-sales (POS) of the Unique Product Identifier (UPI) of a product is collect 
from the RFID tag and transferred to the Client together with for information related 
to price, product and other conditions of the purchase such a guarantee. 
Client verify purchase and the purchase amount is authenticated using the anonymous 
credit protocol and deposited with the Service Provider combined with a . 



Privacy Delivery coordination 

This invention can easily be extended to support mail-order etc. as for instance 
delivery and brokering same-time release of payment and product can be coordinated 
through the PRP-provider. Zero-knowledge authentication related to drop-points and 
dynamic late addressing where the shipper receive information of the final drop-point 
AFTER the product has left the producer is achievable using the principles described in 
"Establishing a Privacy Communication path" , xx. 

One valuable application of this it the ability to create cheap electronic stamps with 
integrated protected addressing using RFIDs. Envelopes can be created with 
integrated tags which can be modified to both the proper pricing and receiver-control 
of addressing (to drop-points etc.). 

It should be noted that the zero -knowledge protocols presented as part of this 
invention is even stronger than in the above invention in a number of ways providing 
means to protects against some very advanced attacks such as the Shipper trying to 
trick the Client into verifying receipt of one parcel where he is in reality receiving 
another. 



Trade Brokerage 

It should be noted that this invention provides a very advanced and innovative 
extension to the above patent application in the fact that this invention does not rely 
on an identity provider to create transaction support. This invention therefore provide 
the ability to create truly anonymous support for same -time release of payment and 
product in both in-store, mail-order, and for instance for advanced auction 
applications. 



Hosted CRM and SCM 

This invention provides the means for very advanced outsourcing of support for 
customer care and supply chain processes. In principle the store does not have to 
have any internal IT except linking to the PRP-providers and professional services (call 
centre, financial management, sales/marketing etc.) for customer care and combine 
this with providers of logistics and purchase services to support product procurement. 

It is easy for the any skilled in the art that Privacy delivery can be extended for multi- 
step value-chain support. 

Multilevel SCM and CRM 
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A very strong application is that this invention supports the ability to link the entire 
value chain without changing the relative power distribution. 
The store can connect suppliers with customers without risking suppliers trying to 
reach consumer directly. In other words the store customer database is protected 
from abuse and still the store is able to make full use of supplier interest in providing 
value added services and support to the various products. This can even include mass 
customisation or tailored products made to order. 

This can be done in at least three basic ways. The easiest method is the direct where 
the PRP is considered a group relationship between the Client Consumer and the store 
as the main parties and store suppliers as sub-relations with access control by the 
store. The store can further arrange for re-routing using inhouse pseudonymisers so 
that suppliers appear as part of the store organisation. Using a principle of tickets 
each purchased product can be turned into a direct relationship connection with the 
provider under full control of the Client. This last solution would however likely lead to 
disruption of the value chains as producers would gain direct contact with end-users 
outside store influence and control. 



Adapting device to device authentication 

Washing machine group authenticate all clothes and then authenticate each individual 
piece of clothes to identify washing parameters and protect against wrong programs 
etc. Clothes can be linked to Ironers etc. 

Instead of authenticating the product tag can be adjusted to the specific appliances 
through the PRP-link to the product supplier. Each piece of clothe could store only the 
washing machine information (colour, temperature, other aspects) without storing any 
product identifying information. This reduces the risk and complexity. Also it ensures 
backward and forward compatibility of the device to device authentication if only the 
product tag can be updated and the (PRP) link to the product supplier is established. 

For instance a Client can contact the producer of clothes or food with the 
specifications of the version of the washing machine or refrigerator. The product 
information can then be formatted according to the specific appliance device to 
provide a simple interface as an extract from the detailed for instance XML-formatted 
product information. In other words the product owner can maintain and update a 
product inventory with more detailed information that is made available in the product 
tag for day-to-day operations. 

Road Pricing / ticketing / Public Transport payment / Car Parking etc. 
A very advanced solution would include a combination of even simple RFID-tags with 
multiple different Group Authentication specific to for instance public transport, car 
parking etc. 

Each Group Authentication key would upon a Privacy Device Authentication release a 
PRP-reference pre-encrypted with a public key of the provider of services (e.g. 
transport company) together with an authentication pre-encrypted for the Service 
Provider of the PRP. The provider of service would then forward the message to the 
PRP who upon authentication would release pre-encrypted tickets, tokens or payments 
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Abuse in this setup is therefore primarily limited to the quality of biometrics in itself 
and the ability to establish passports linking one set of biometrics with another 
identity which is basically a problem related to the issuing authority which will then be 
traceable, A way to detect such organised abuse would be to include statistical 
verification of passports from various issuers based on random linking of verifiers and 
issuers to prevent organised collaborations. 



Referrals 

Doctors referring to further investigation at for instance x-ray etc. can be done 
through context-specific pseudonyms and tickets. A patient can go to a HIV-test anc 
have it made without identifying towards the Healthcare person. DNA biometrics is 
NOT ensured this way and actual tissue and other organic samples has to be treated 
with care not to get directly linked with any digitally identifying information. 



Electronic voting 

A very advanced form of electronic voting can be enabled by combining PRPs with 
credentials. PRPs are inherently anonymous unless they are linked to a PACC and 
credentials are by nature anonymising which make the entire vote anonymous. 

All citizens can receive a one-time-only credential for at specific vote event. Each 
credential is non-transferable if lock to a digital signature. 

Using any Privacy Device Authenticated communication device, the citizen can 
establish an anonymous connection and use his credential to enter the voting booth 
where he can then vote anonymously. 

This can be combined with entering a physical boot so that nobody can be forcing the 
voter to make a different vote than the voluntary and best informed democratic vote. 
The purpose of this is to protect against forced or traded votes. 

To protect trust towards errors in vote counting, each vote can be published with a 
reference for instance created as a hash of a random pin and a non-linkable part 
derived from the credential. By comparing the total number of votes with the number 
of credentials, the vote can be protected from vote spoofing and each vote can be 
verified by the citizen, who made the vote. 

To protect against blackmail or other forced alterations of votes, the voter can be 
equipped with means to fake any vote. One way would be on request in the voting 
booth to generate both the normal vote and a foil set of false votes displaying 
different pins for each vote together with adding a counter to subtract a vote from 
each possible vote. 

The voter can then without indicating which vote he was supposed to make mentally 
note down the pin and thereby plausibly claim any vote. He will however still be able 
to verify that he voted for the correct candidate and the voting officials can verify that 
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votes are EITHER single (normal votes) OR a single votes combined with a full set and 
a subtraction counter. 

and especially on selected relevant hotspots such as petrol-stations, femes, car parks, 
border crossings etc. 

and removal of this control similar almost impossible. 
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side-effects. 

But even without a GPS tracker a theft authentication can mark the device stolen and 
also make the device unusable. 

Locating children (in Zoo etc.) 

The dark room solution (Cafe, Disco, conference, event) 

S aTbasXne a shared key which is shielded with the event specific key (for 
instance DS(event)=DS(Relationship) XOR Event Key). 

He checks If any of his Relations are present already by verifying requests against his 
event-specific address book. 

He then stores call for Relations for new arrivals after his. He can also create for 
S^Sm^Q»« or just leave Event-specific profile and contact information 
for historic use. 

When leaving the event, he removes his stored Relationship Authentication, 
reply) 

Privacy Instant Messaging and anonymous Contact information for anonymous 
communications channels 
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Money anti-counterfeit 

Plans are emerging to use RFIDs in money notes to protect against counterfeit money. 
This invention provides an advanced solution against counterfeiting that is at the 
same time privacy preserving. The group authentication code combined with a 
number of non-linked references can be use to create any desired property of 
counterfeiting which can be both off-line, online or a combination. 

The off-line version can simply be implemented by money issuer to sign the hash 
combination of a series of random references, a unique note number and the 
monetary value of the money note and store these together with the reference 
number. The note specific Device Secret can be a unique note number requiring 
visible access to the note. Since the Device Authentication is providing a shielded 
session secret R only the verifier can carry out the verification. These can even better 
shielded by more complex algorithms. 

The online version is more troublesome as this can lead to tracing of notes. This can 
be solved using anonymous and non-linkable transactions. Each note have a number 
of non-likable one-time-only PRPs providing a check for counterfeit and especially 
protect against copying the RFIDs. 

This could Include removing the unique note number and instead use the same Group 
Authentication Code for a larger selection of money notes. 

Another element would be to combine this with a revolving method so that each PRP 
contain authentication and encrypted information about the next PRP. This information 
is transferred to the RFID. If the RFID-note is a copy then the copy would invalidate 
the original as only one string of PRPs could work at the time. In other words 
accessing and splitting the RFID of an original would not provide multiple PRPs to 
make multiple copies. 

A further advantage is that taxes etc. can be collected as part of anonymous 
transactions and thereby reduce the administration for companies and trace of citizens 
and companies. 

Money foundering 

It should be notes that in the preferred setup the electronic payment system in this 
invention has a built-in anti-money-loundering scheme in the closed loop monetary- 
system - money is transferred to/from bank accounts and only entering passing 
through one transaction where taxes etc. can be ensured. 

This scheme assumes that cost of transferring money to and from banking accounts is 
only covering the real cost - otherwise the anti-money-loundering scheme can be 
abused by banks to create an artificial fee structure with abnormal profits. In such 
case recirculation of electronic cash should be used to create a free cash flow until 
abnormal fees have been removed from the pricing structures. 
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Linkabiiity can be created according to the offence so that mild tickets are not 
linkable, but significant speed-driving require the creation of signed acknowledgement 
of speeding. 

If the driver refuse to create linkabiiity or to accept the fine, then and ONLY then the 
proof is stored and available to the relevant authorities. This can be further combined 
with the road pricing programme to block further access. 



Privacy preference coordination and Ubiquitous information coordination 

A very important application of this invention is establishing privacy control of the 
ubiquitous, ambient intelligent and semi-public spaces. 

Any sensor recording information that is potentially abusable can automatically 
require receive accept from any person present even to initiate recording. Since this 
accept can be time-limited this can be propagated to the recording to be deleted or 
the decryption keys to.be deleted after a certain time-span. 

A specially valuable feature may be an option to pre-accept recording and retaining 
the option to delete the recording AFTER the event based on either a passive (deleted 
if no confirmation after the event) or active (recording is stored unless the person 
requests so). 

A very valuable add-on is the ability to establish asymmetric links for everyone with a 
natural interest in the recorded material such as a recording of a discussion, a picture, 
a video etc. 

In the authentication process the sensor devices receive one-time-only references to 
each person present. By storing here information about the sensor, references to the 
recorded material and information on how to access the material, each person present 
can in real-time or as long as the recording is stored access the material for personal 
use. 

One additionally relevant feature here is that each person has a different reference to 
the recording as this is relative to the event itself, but not just globally available. Each 
participant has a separate PRP to link to the event and the reference is thus 
established relative to the participant-specific PRP for instance in the form of <PRP- 
reference>.<Recording-reference> / where <Recording-reference> is only context- 
unique for instance as a number sequence reused among all events. In other words 
knowing the Recording-reference without a relevant PRP does not provide linkabiiity or 
access. 

Recordings from any gathering of people can as such be instantly shared among 
participants which is highly useful for social events (e.g. parties, interesting 
discussions, etc.), academic (conferences, brainstorming, problem analysis), 
education (in classroom discussion, remote access), commercial (e.g. any agreement, 
meeting, exhibition etc.), public (e.g. negations with tax officers etc.)- 
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This could for instance be highly valuable in the case of phone-based ordering of 
goods and services. Voice recordings are biometrics and identifying. Therefore 
recordings are link information destroying privacy - at the same time there are 
situation where a recording is valuable to validate what was the actual agreement in 
case of dispute. An acceptance could be to accept recording on two conditions - a) 
When the deal is over and ail obligations meet the recording is deleted and b) that the 
recording is encrypted using keys from both participants so that no party can access 
the recording without the approval of the other party. 

Another scenario is an event where someone takes a picture and this picture is both in 
real-time and post-event available to any present to remember. 



Legal and standards Issues 

RFID and other wireless device components can by law be disallowed to reply without 
authentication to protect privacy. 

Combined with this invention Stores interests are aligned with consumers and 
producers. IF an RFID, Bluetooth or other device is detectable without dedicated 
authentication upon exit from the store means one of two things - EITHER the 
product is being stolen OR some product does not apply to basic privacy standards 
meaning the consumer is not protected AND both the store and the producer has no 
digital support for the established consumer relationship. 

In case of theft for instance doors should block combined with an alarm. The product 
is easily beatable as it itself tells both which product it is and where it is. 

In case of a product error, this is customer service and the producer should be 
notified and perhaps even be charged a fine for violating privacy and damaging shop 
customer relationships. 
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